Cleartext http traffic to server.com not permitted

First step is understanding why Google enforces you to use HTTPS. You can read more about it on the developers page.

As for how to fix it, there are two options:

1) Use HTTPS!

2) Create a new file in your XML folder named security_config.xml and add this:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
</network-security-config>

then in your Manifest file add this

<?xml version="1.0" encoding="utf-8"?>
<manifest ... >
    <application android:networkSecurityConfig="@xml/security_config">

    </application>
</manifest> 

For obvious reasons, the second point is not recommended!


Simple Solution:

Add this line in your manifest:

android:usesCleartextTraffic="true"

because I have faced the same issue with my php page for json api.

It should look like this:

<?xml version="1.0" encoding="utf-8"?>
<manifest ...>
    <uses-permission android:name="android.permission.INTERNET" />
    <application
        ...
        android:usesCleartextTraffic="true"
        ...>
        ...
    </application>
</manifest>

Let's hope it works.


If you don't have the option of using HTTPS, then you can use a network security configuration xml file

<?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
        <domain-config cleartextTrafficPermitted="true">
            <domain includeSubdomains="true">192.168.1.100</domain>
            <domain includeSubdomains="true">http://example1.com</domain>
            <domain includeSubdomains="true">example1.com</domain>
        </domain-config>
    </network-security-config>

Then you need to add it to your <application section in the Android Manifest with this line

android:networkSecurityConfig="@xml/testing_security"

Some alternatives were presented in other answers - i would say that allowing all cleartext traffic is unwise since 3rd party libraries could compromise you. It is best to explicitly define your host targets to minimise the impact of this insecure communication